CSF is working but telnet still connects

crenet

Hi,
I am using CSF and I am trying to block telnet connections from outside.
TCP_IN does not list port 23, but I can still use telnet to connect.
How can I block telnet from connecting to open ports?

OS: Debian 9.3

Thanks
 
Your IP is likely in whitelist. Please take it out of allow list and it should forbid connecting to that port from your IP then.
 
Yep, a whitelisted IP bypasses port blocks. You could instead add your IP to csf.ignore to prevent the firewall from ever blocking it, but leave it out of csf.allow to prevent bypassing closed ports.
 
Hi Martynas,

I do not have any IPs in the whitelist.
What I do have is my country code in CC_ALLOW_PORTS, but no port 23 in CC_ALLOW_PORTS_TCP or CC_ALLOW_PORTS_UDP.
And I can still connect with telnet.
 
Not Martynas here, but... The allow list is located at /etc/csf/csf.allow. You can check your IP's status with:
Code:
csf -g XXX.XX.XX.XXX
or look in the file for the IP. Are you connecting via IPv6? Is the port blocked in both IPv4 and IPv6?
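The replies so far amount to a checklist: is the port absent from TCP_IN (and TCP6_IN for IPv6), is the source IP absent from csf.allow, and is the port absent from CC_ALLOW_PORTS_TCP for the allowed country. The script below is an added example, not code from the thread or from ConfigServer; it runs that checklist offline against a constructed csf.conf and csf.allow embedded in the script rather than the real /etc/csf files, and the sample IPs, ports and country code are illustrative. It assumes CSF's comma-separated port-list syntax with N:M ranges and the two csf.allow entry forms (a bare IP, and the advanced `proto|in|d=port|s=ip` form); the country match for CC_ALLOW_PORTS cannot be done offline, so that branch only reports that the port would be open to sources in the listed country.

```shell
#!/bin/sh
# Added example: offline walk through the CSF checks the thread describes.
# Constructed sample of the relevant csf.conf keys (values are illustrative).
CSF_CONF='TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222,35000:35999"
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2222"
UDP_IN = "20,21,53"
CC_ALLOW_PORTS = "US"
CC_ALLOW_PORTS_TCP = "22,2222"
'

# Constructed sample csf.allow. A bare IP bypasses every port filter; the
# advanced-syntax entry opens only the named port for one source.
CSF_ALLOW='# csf.allow sample (constructed)
192.0.2.10 # admin office - bypasses ALL port checks
tcp|in|d=23|s=198.51.100.7 # telnet from one host only
'

# conf_value KEY: print the quoted value of KEY from $CSF_CONF.
conf_value() {
    printf '%s\n' "$CSF_CONF" | sed -n "s/^$1 = \"\(.*\)\"/\1/p"
}

# port_in_list PORT LIST: succeed if PORT is in the comma list (N:M ranges ok).
port_in_list() {
    _port=$1; _found=1; _old_ifs=$IFS
    IFS=','
    for _item in $2; do
        case $_item in
            *:*) _lo=${_item%%:*}; _hi=${_item##*:}
                 if [ "$_port" -ge "$_lo" ] && [ "$_port" -le "$_hi" ]; then _found=0; fi ;;
            *)   if [ "$_item" = "$_port" ]; then _found=0; fi ;;
        esac
    done
    IFS=$_old_ifs
    return $_found
}

# allow_status IP PORT: print whitelisted | port-allowed | not-allowed
# according to how csf.allow treats IP for that port.
allow_status() {
    _ip=$1; _port=$2; _status=not-allowed
    while IFS= read -r _line; do
        _line=${_line%%#*}                                   # strip comment
        _line=$(printf '%s' "$_line" | tr -d '[:space:]')
        [ -z "$_line" ] && continue
        case $_line in
            "$_ip") _status=whitelisted; break ;;            # bare IP: full bypass
            *"|s=$_ip"*)                                     # advanced entry for IP
                case $_line in
                    *"|d=$_port|"*|*"|d=$_port") _status=port-allowed ;;
                esac ;;
        esac
    done <<EOF
$CSF_ALLOW
EOF
    printf '%s\n' "$_status"
}

# diagnose IP PORT [4|6]: explain whether TCP PORT should be reachable from IP.
# Returns 0 when some rule opens it, 1 when CSF should drop the SYN.
diagnose() {
    _ip=$1; _port=$2; _fam=${3:-4}
    if [ "$_fam" = 6 ]; then _key=TCP6_IN; else _key=TCP_IN; fi
    _st=$(allow_status "$_ip" "$_port")
    if [ "$_st" = whitelisted ]; then
        printf 'OPEN: %s is in csf.allow, which bypasses every port filter\n' "$_ip"; return 0
    fi
    if [ "$_st" = port-allowed ]; then
        printf 'OPEN: csf.allow opens port %s for %s explicitly\n' "$_port" "$_ip"; return 0
    fi
    if port_in_list "$_port" "$(conf_value "$_key")"; then
        printf 'OPEN: port %s is listed in %s\n' "$_port" "$_key"; return 0
    fi
    if port_in_list "$_port" "$(conf_value CC_ALLOW_PORTS_TCP)"; then
        printf 'OPEN to sources in %s: port %s is in CC_ALLOW_PORTS_TCP\n' \
            "$(conf_value CC_ALLOW_PORTS)" "$_port"; return 0
    fi
    printf 'BLOCKED: port %s is not in %s, CC_ALLOW_PORTS_TCP or csf.allow for %s\n' \
        "$_port" "$_key" "$_ip"; return 1
}

# Stand-alone run: the three constructed sources trying telnet (tcp/23).
for _src in 192.0.2.10 198.51.100.7 203.0.113.5; do
    diagnose "$_src" 23 4 || true
done
```

Reading the verdict alongside the client's error is what separates the two outcomes seen later in this thread: a SYN dropped by CSF's LOGDROPIN chain shows up as a connect timeout, whereas "Connection refused" means a TCP RST came back, i.e. the packet reached the host and either nothing listens on the port or a REJECT rule answered it.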
 
The IP is not in /etc/csf/csf.allow,

and port 23 is not listed for IPv4 or IPv6.

How can I block telnet?
 
It seems to be working in my server:

[~]$ telnet 108.XXX.XXX.XXX 23
Trying 108.XXX.XXX.XXX...
telnet: Unable to connect to remote host: Connection refused
[~]$

Maybe confirm the firewall is running and restart it to make sure any recent configuration changes are applied?

Code:
service csf status
service lfd status
csf -ra
 
I am getting this:

Code:
service csf status
● csf.service - ConfigServer Firewall & Security - csf
   Loaded: loaded (/usr/lib/systemd/system/csf.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2019-11-25 05:57:00 -01; 4 days ago
 Main PID: 450 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/csf.service

Code:
service lfd status
● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-11-29 00:00:07 -01; 7h ago
  Process: 16622 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 16637 (lfd - sleeping)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/lfd.service
           └─16637 lfd - sleeping

Code:
csf -ra
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWP'
Flushing chain `CC_ALLOWPORTS'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWP'
Deleting chain `CC_ALLOWPORTS'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `ALLOWIN'
Flushing chain `ALLOWOUT'
Flushing chain `CC_ALLOWP'
Flushing chain `CC_ALLOWPORTS'
Flushing chain `DENYIN'
Flushing chain `DENYOUT'
Flushing chain `INVALID'
Flushing chain `INVDROP'
Flushing chain `LOCALINPUT'
Flushing chain `LOCALOUTPUT'
Flushing chain `LOGDROPIN'
Flushing chain `LOGDROPOUT'
Flushing chain `SMTPOUTPUT'
Deleting chain `ALLOWIN'
Deleting chain `ALLOWOUT'
Deleting chain `CC_ALLOWP'
Deleting chain `CC_ALLOWPORTS'
Deleting chain `DENYIN'
Deleting chain `DENYOUT'
Deleting chain `INVALID'
Deleting chain `INVDROP'
Deleting chain `LOCALINPUT'
Deleting chain `LOCALOUTPUT'
Deleting chain `LOGDROPIN'
Deleting chain `LOGDROPOUT'
Deleting chain `SMTPOUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `PREROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
csf: FASTSTART loading DROP no logging (IPv4)
csf: FASTSTART loading DROP no logging (IPv6)
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP_IN Blocked* "
LOG  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP_OUT Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP_IN Blocked* "
LOG  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP_OUT Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOG  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOG  tcp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *TCP6IN Blocked* "
LOG  tcp opt    in * out *  ::/0  -> ::/0   tcp flags:0x17/0x02 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *TCP6OUT Blocked* "
LOG  udp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *UDP6IN Blocked* "
LOG  udp opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *UDP6OUT Blocked* "
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP6IN Blocked* "
LOG  icmpv6 opt    in * out *  ::/0  -> ::/0   limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP6OUT Blocked* "
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
REJECT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   reject-with icmp-port-unreachable
DROP  all opt    in * out *  ::/0  -> ::/0
REJECT  all opt    in * out *  ::/0  -> ::/0   reject-with icmp6-port-unreachable
DENYOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DENYIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ALLOWOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ALLOWIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
DENYOUT  all opt    in * out !lo  ::/0  -> ::/0
DENYIN  all opt    in !lo out *  ::/0  -> ::/0
ALLOWOUT  all opt    in * out !lo  ::/0  -> ::/0
ALLOWIN  all opt    in !lo out *  ::/0  -> ::/0
csf: FASTSTART loading Packet Filter (IPv4)
csf: FASTSTART loading Packet Filter (IPv6)
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
INVALID  tcp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
DROP  all opt    in * out *  ::/0  -> ::/0
INVALID  tcp opt    in !lo out *  ::/0  -> ::/0
INVALID  tcp opt    in * out !lo  ::/0  -> ::/0
csf: FASTSTART loading csf.deny (IPv4)
csf: FASTSTART loading csf.allow (IPv4)
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW tcp dpt:FTP_port
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW tcp dpt:FTP_port
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW tcp dpt:SSH_port
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW tcp dpt:SSH_port
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW tcp dpt:DA_port
ACCEPT  tcp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW tcp dpt:FTP_port
ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW udp dpt:FTP_port
ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW udp dpt:FTP_port
ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW udp dpt:SSH_port
ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW udp dpt:SSH_port
ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW udp dpt:DA_port
ACCEPT  udp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW udp dpt:FTP_port
csf: FASTSTART loading CC_ALLOW_PORTS [country_code] (IPv4)
csf: FASTSTART loading CC_ALLOW_PORTS [country_code] (IPv4)
CC_ALLOWP  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
CC_ALLOWP  all opt    in !lo out *  ::/0  -> ::/0
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8 limit: avg 1/sec burst 5
LOGDROPIN  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   icmptype 8
ACCEPT  icmp opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmp opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  icmpv6 opt    in !lo out *  ::/0  -> ::/0
ACCEPT  icmpv6 opt    in * out !lo  ::/0  -> ::/0
ACCEPT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in !lo out *  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
ACCEPT  all opt    in * out !lo  ::/0  -> ::/0   ctstate RELATED,ESTABLISHED
csf: FASTSTART loading TCP_IN (IPv4)
csf: FASTSTART loading TCP6_IN (IPv6)
csf: FASTSTART loading TCP_OUT (IPv4)
csf: FASTSTART loading TCP6_OUT (IPv6)
csf: FASTSTART loading UDP_IN (IPv4)
csf: FASTSTART loading UDP6_IN (IPv6)
csf: FASTSTART loading UDP_OUT (IPv4)
csf: FASTSTART loading UDP6_OUT (IPv6)
ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt -- in * out lo  0.0.0.0/0  -> 0.0.0.0/0
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOGDROPIN  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
ACCEPT  all opt    in lo out *  ::/0  -> ::/0
ACCEPT  all opt    in * out lo  ::/0  -> ::/0
LOGDROPOUT  all opt    in * out !lo  ::/0  -> ::/0
LOGDROPIN  all opt    in !lo out *  ::/0  -> ::/0
SMTPOUTPUT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
SMTPOUTPUT  all opt    in * out *  ::/0  -> ::/0
csf: FASTSTART loading SMTP Block (IPv4)
csf: FASTSTART loading SMTP Block (IPv6)
csf: FASTSTART loading DNS (IPv4)
csf: FASTSTART loading DNS (IPv6)
LOCALOUTPUT  all opt -- in * out !lo  0.0.0.0/0  -> 0.0.0.0/0
LOCALINPUT  all opt -- in !lo out *  0.0.0.0/0  -> 0.0.0.0/0
LOCALOUTPUT  all opt    in * out !lo  ::/0  -> ::/0
LOCALINPUT  all opt    in !lo out *  ::/0  -> ::/0
● lfd.service - ConfigServer Firewall & Security - lfd
   Loaded: loaded (/usr/lib/systemd/system/lfd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2019-11-29 07:05:13 -01; 30ms ago
  Process: 2830 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
 Main PID: 2844 (lfd - starting)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/lfd.service
           └─2844 lfd - starting

Thanks a lot for your help
 
When you telnet, are you telnetting to a domain or explicitly specifying the server IP?
 
I really don't know what fixed it, probably the last CSF updates.
Now it's working fine.

telnet domain.com
Trying xxx.xx.xxx.xx…
telnet: connect to address xxx.xx.xxx.xx: Operation timed out
telnet: Unable to connect to remote host

telnet xxx.xx.xxx.xx
Trying xxx.xx.xxx.xx…
telnet: connect to address xxx.xx.xxx.xx: Operation timed out
telnet: Unable to connect to remote host

Thanks
 